Reviewing Bruce Schneier’s 2004 book Secrets and Lies, much of which was written in 2000, reminds us of something really basic. You can’t just fix security. Security is a process, most of which is about knowing what’s going on. Detection is more important than prevention. To which I add that for detection we need comparable Internet-wide metrics on security performance so every organization can see what’s going on and will have incentive to do something about it because its customers and competitors can see, too. Sound familiar? That’s what SpamRankings.net is about.
Joe Zack posted in Joezack.com on Bastille Day, 14 July 2013, Secrets and Lies: Nine Years Later,
2. “Detection is much more important than prevention”
Schneier keeps coming back to this point. He had this epiphany in 1999 that “it is fundamentally impossible to prevent attacks” and “preventative countermeasures fail all the time.” Security is “about risk management, that the process of security was paramount, that detection and response was the real way to improve security.” (emphasis mine)
I had formerly thought of security as largely being about prevention. A year ago, if you have asked me about “InfoSec” I might have prattled on about firewalls, injection attacks, encryption and good passwords. That’s still important, but now I know that there’s a lot more to it.
Zack says he thinks Schneier was like Nostradamus for having such insight before NSA PRISM and even before Facebook. Sure, Bruce has always been ahead of his time. But that basic insight was not unique to him, and Continue reading
Codero jumped from #137 in May to #3 in the June 2013 U.S. from CBL volume. For that same month, Netcraft ranked Codero #1 for hosting reliability. Netcraft ranks worldwide, and in the worldwide SpamRankings.net, Codero came in #9, which is still very impressive. I guess spammers prefer reliability. Who wouldn’t?
German companies took 3 of the 5 top spots in the June 2013 World from CBL volume.
- #2 Online AG RZ‘s AS 24940 rose from #35, and
- #4 Internet AG‘s AS 8560 rose from #51.
- #5 AG‘s AS 6724 actually got better; it was #2 last month.
Relizon Canada Inc.’s AS 40034 RELIZON-CDN jumped from #134 to #3 in the May 2013 for Canada All from CBL data. On May Day CBL saw 1 spam message from AS 40034 and more than 3 million on May 31.
Relizon was not visible in the May Canada rankings from PSBL data, although internally we do see AS 40034 going from #208 to #109 by going from 11 spam messages in April to 26 in May. CBL’s heuristics or spam traps or both were apparently much better at detecting this particular spam source.
Relizon’s own website doesn’t seem to be responding at the moment, but Bloomberg Businessweek says they do business process outsourcing solutions, and were formerly known as Crain-Drummond Inc., with the name change coming on acquisition by the Carlyle Group.
Canada’s The Hospital for Sick Children AS 46626 SICKKIDS-AS-01 dropped out of the May 2013 for world medical organizations from CBL data. In April they ranked #1 with 21,912 spam messages, and in May they dropped to #27 with only 28 messages. In April they really only spammed for one week, as you can see in the big spike in the graph. Of course, the hospital itself probably didn’t knowingly send the spam; usually they’ve been compromised by botnets or phishing or some other breach, but hospital patients and other customers won’t necessarily know that if they receive some of it. And if their security is lax enough to let in things that emit spam, what else has been compromised? This is why hospitals are quick to squelch outgoing spam and fix the underlying security problems.
Zerofail’s AS 40191 AS-PRE2POST-1 jumped from 5 per day April 1st to more than a million spam messages many days in April, and from 413 total in March to almost 22 million in April. That made it #2 in the April 2013 for Canada from CBL data, and Zerofail kept second place in May with more than 18 million spam messages. This AS actually sent proportionally more of top 10 spam from Canada in May than in April because #1 iWeb’s AS 32613 sent a lot less in May. Where does all this Zerofail spam come from?
Medyabim Internet Services popped into the Turkish top 10 for May 2013, hopping up from #81 to #5. This happened starting about 23 May 2013, probably coincidentally about the same time as the disturbances around Taksim Square in Istanbul.
Previous chronic Turkish spam winner TTNET 9121 made it back to the top, and this time TTNET placed twice, with AS 47331 as #6. Together the two TTNET ASNs sent 49.26% of top 10 Turkish spam for May 2013.
AS 43391 NETDIREKT-TR and AS 42926 RADORETELEKOM battled through the whole month for spots #2 and #3.
In better news, Tamer Gigabitweb Turkey and DorukNet IstanbulTurkey dropped out of the Turkish top 10.
Also new this month are v2 rankings back to January 2013.
McAfee Labs today released the McAfee Threats Report: First Quarter 2013, which reported a significant spike in instances of the Koobface social networking worm and a dramatic increase in spam. McAfee Labs also saw continued increases in the number and complexity of targeted threats, including information-gathering Trojans and threats targeting systems’ master boot records (MBRs).
McAfee Labs found almost three times as many samples of Koobface as were seen in Continue reading
Comcast shows some of the biggest differences between Version 2 and the old version 1 of for April 2013. Comcast is in the U.S. top 10 either way, but with different Autonomous Systems: AS 7922 is #3 in v2 while AS 7015 of Comcast Cable Communications Holdings Inc is #8 in v1 and doesn’t even appear in the v2 top 250.
|AS 7015||AS 7922||netblocks assigned|