Category Archives: Prevention

Ranking needles

Pouring more money into infosec won’t make us more secure unless we know what’s working and what isn’t. Maybe we need a way to compare those things.

Tim White wrote for NYTimes 22 January 2014, Finding a Needle in a Digital Haystack,

LAST year the private sector spent $67.2 billion on cybersecurity services. Nevertheless, according to a recent investigation by Verizon, 60 percent of successful hacks were not detected until months after the attacks began. In the wake of recent high-profile hacker attacks against Target, Neiman Marcus and other retailers, the obvious question is: Why hasn’t all that money done any good?

It’s not for lack of trying. Much of the money is well spent, paying for armies of technical engineers and state-of-the-art security applications.

The problem is not the resources, or the personnel, or the data. It’s that many organizations simply don’t know how to arrange the data to identify suspicious patterns and weaknesses, at least not fast enough. There’s too much data, and not enough perspective.

What we need, then, is Continue reading

John Quarterman on Mapping Spam and Politics (audio)

At a meeting on a completely different subject, I was interviewed about SpamRankings.net. Here's the audio, and here's the blurb they supplied:

John S. Quarterman, long time Internet denizen, wrote one of the seminal books about networking prior to the commercialization of the Internet. He co-founded the first Internet consulting firm in Texas (TIC) in 1986, and co-founded one of the first ISPs in Austin (Zilker Internet Park, since sold to Jump Point). He was a founder of TISPA, the Texas ISP Association. Quarterman was born and raised in Lowndes County, where he married his wife Gretchen. They live on the same land where he grew up, and participate in local community and government.

Quarterman took some time during Georgia River Network's Weekend for Rivers to speak with the Nonprofit Snapshot about spam-mapping and small town politics.

More about Elinor Ostrom's Nobel-prize-winning work on organizing the commons, and how that applies to SpamRankings.net.

The water organization has since been incorporated as the Georgia non-profit WWALS Watershed Coalition:

WWALS is an advocacy organization working for watershed conservation of the Willacoochee, Withlacoochee, Alapaha, and Little River Systems watershed in south Georgia and north Florida through awareness, environmental monitoring, and citizen advocacy.

-jsq

eCrime Summit in Prague 25-27 April 2012

These ecrime meetings are always interesting and useful. -jsq

Press release of 29 March:

Containing the Global Cybercrime Threat is Focus of Counter eCrime Operations Summit (CeCOS VI) in Prague, April 25-27

CeCOS VI, in Prague, Czech Republic, to focus on harmonizing operational issues, cybercrime data exchange, and industrial policies to strengthen and unify the global counter-ecrime effort.

CAMBRIDGE, Mass.—(BUSINESS WIRE)—The 6th annual Counter eCrime Operations Summit (CeCOS VI) will convene in Prague, Czech Republic, April 25-27, 2012, as the APWG gathers global leaders from the financial services, technology, government, law enforcement, communications sectors, and research centers to define common goals and harmonize resources to strengthen the global counter-cybercrime effort.

CeCOS VI Prague will review the development of response systems and resources available to counter-cybercrime managers and forensic professionals from around the world.

Specific goals of this high-level, multi-national conference are to identify common forensic needs, in terms of the data, tools, and communications protocols required to harmonize cybercrime response across borders and between private sector financial and industrial sector responders and public sector policy professionals and law enforcement.

Key presentations will include:

Continue reading

What other ASNs were affected by botnet Ogee in February 2012?

Previously we determined that nine ASNs that showed spam surges in the U.S. and Canadian top 10 SpamRankings.net for February 2012 were infested by the botnet Ogee and that spam came from that botnet. What other ASNs were affected by Ogee in the same time period?

Let’s look at the top 10 ASNs infested by Ogee according to spam volume for 1 Feb 2012 to 12 Mar 2012:


Left Axis: Total Ogee volume (spam messages);
Right Axis: top 10 Ogee ASN volume (dotted curves)

It looks like Ogee is a new botnet, since all these top 10 ASNs came up from zero volume before 18 February 2012. The biggest initial peak in this graph is from AS 21788 NOC, #1 in the U.S. February top 10, and the biggest late surge is from AS 10439 CARINET, #8 in that same ranking. Right below CARINET is AS 32613 IWEB-AS, Canadian February #1. The rest of the 8 Ogee-infested from the U.S. top 10 previously described also are in there, except AS 7796 ATMLINK and AS 13768 PEER1.

New here are these three: Continue reading

Big U.S. Spam Spike in February 2012 SpamRankings.net

What could push the U.S. from 13 to 2 in worldwide SpamRankings.net, and way up to number one for the last week of February 2012?

In the U.S. rankings by ASN, seven out of ten are new, and NOC number 1 came up from number 9. Something pretty bad is going on. So bad Comcast didn’t place in the top 10 at all, for the first time in recent memory!

NOC has had this problem before, in July and November 2011, but never with this amount of spam volume. And this time many other ASNs show the same pattern.

The same issue may be in the Canadian rankings as well: AS 32613 IWEB-AS jumped from 8 to 1 for the month, with almost all the increase in the same last week of the month as for the U.S. problem ASNs.

There was even a similar curve in the World rankings, for Telefonica del Peru’s AS 6147 SAA.

Our next step is to drill down to see if these ASNs were infected by the same botnet. We did that for the medical ASNs last month, but this is a much bigger spam event this month.

-jsq

Coal company reputation

Good news from the SEC for a change! They’re requiring coal plant operators to report health and safety violations, including fatalities, within a few days of occurence.

FuelFix posted from AP on 23 December 2011, SEC requiring coal firms to report safety problems

Earlier this week, the SEC announced new rules that require mining companies to start reporting any fatalities and all major health and safety violations, mine by mine, in their quarterly and annual financial reports. The filings are mandated in the wide-ranging Dodd-Frank Wall Street Reform and Consumer Protection Act, which Congress passed to try to increase corporate accountability.

The rules take effect 30 days after publication in the Federal Register. They require companies to report within four days any “significant and substantial” violations, citations, flagrant violations and imminent-danger orders issued by the federal Mine Safety and Health Administration.

Coal operators must also include the dollar value of proposed fines, whether the company has been or may be designated a pattern violator by MSHA, and any pending cases with the Federal Mine Safety and Health Review Commission.

What problem does this reporting solve? As the article points out: Continue reading

World PM2.5 Map as reputation

NASA posted 22 October 2009, New Map Offers a Global View of Health-Sapping Air Pollution
In many developing countries, the absence of surface-based air pollution sensors makes it difficult, and in some cases impossible, to get even a rough estimate of the abundance of a subcategory of airborne particles that epidemiologists suspect contributes to millions of premature deaths each year. The problematic particles, called fine particulate matter (PM2.5), are 2.5 micrometers or less in diameter, about a tenth the fraction of human hair. These small particles can get past the body’s normal defenses and penetrate deep into the lungs.
Even satellite measurements are difficult (clouds, snow, sand, elevation, etc.). But not impossible:

Continue reading

“botnet herders can add it to its spam-spewing botnet” —Fahmida Y. Rashid in eWeek.com

This reporter spits out a string of alliterative language that labels the problem that SpamRankings.net helps diagnose.

Fahmida Y. Rashid wrote in eWeek.com 8 June 2011, UT Researchers Launch SpamRankings to Flag Hospitals Hijacked by Spammers:

“Poor security measures are generally responsible for employee workstations getting compromised, either by spam or malicious Web content. Once the machine is compromised, the botnet herders can add it to its spam-spewing botnet to send out malware to even more people. The original employee or the organization rarely has any idea the machine has been hijacked for this purpose.”
That’s a pretty good explanation for why outbound spam is a proxy for poor infosec.

-jsq

Transparency in Rome

Here’s my presentation, Transparency as Incentive for Internet Security: Organizational Layers for Reputation, from RIPE 61 in Rome. This presentation summarizes the two previous RIPE Labs papers about proposed new organizational layers and outbound spam ranking experiments.

RIPE-NCC is the oldest of the Regional Internet Registries (RIRs), and RIPE is the deliberately unorganized association of interested parties that meets twice a year and holds discussions online in between. It’s a mix of operations, research, and socializing. Topics range from obscure details of deploying IPv6 to organizational proposals such as what I was talking about. 430 people attended the meeting in Rome, which was quite a few more than the dozen or two of the first RIPE meeting I went to many years ago.

Interesting questions were asked. I may blog some of them.

-jsq

Outbound Spam Ranking Experiments

Should Uganda Telecom be counted as a Belgian ISP for outbound spam rankings?

Which matters most: history, topology, business headquarters location, or some other criterion?

These are some questions that come up in designing experiments in rolling out a reputation system for outbound spam. More on this in the RIPE Labs article (8 Nov 2010), Internet Reputation Experiments for Better Security.

Such experiments can draw on fifty years of social science research and literature, first crystalized as Social Comparison Theory by Leon Festinger in 1954, that indicate that making personal reputation transparent changes personal behavior. More recent research indicates that the same applies to organizations. Using anti-spam blocklist data, it is possible to make E-Mail Service Provider (ESP) behavior (banks, stores, universities, etc., not just ISPs) in preventing or stopping outbound spam transparent, and this paper is about experiments to see how the resulting reputation actually changes ESP behavior.

-jsq